76 popular iOS apps are exposing user data to hackers – over 18 million downloads

Will Strafach was scanning the binary code of applications in the iOS App Store for his service verify.ly, a web-based mobile app analysis service, when he found that 76 popular apps in the store are vulnerable to data interception.

“Automatically scanning the binary code of applications within the Apple App Store en-masse allowed us to get a vast amount of information about these security issues,” Strafach, a cyber security expert, wrote in a post today.

The post detailed how the vulnerable apps mishandle the connections over which they transmit data. “The App Transport Security feature of iOS does not and cannot help block this vulnerability from working,” Strafach said. ATS was introduced in iOS 9 to push apps toward HTTPS by blocking plaintext HTTP connections unless an app explicitly opts out. Apple had set January 1, 2017 as the deadline for developers to adopt ATS, but has since pushed that date back without announcing a new one.

These apps expose user data because their own networking code mishandles certificate validation. The connections are genuine TLS connections, so ATS, which checks only that the transport is HTTPS with an acceptable TLS configuration, is satisfied; the app then overrides the system’s certificate check and accepts whatever certificate the server presents, including an invalid or forged one. An attacker who can place a proxy in the path therefore terminates TLS with a certificate of their own and reads the traffic in the clear.

Such an attack can be mounted by anyone who can get between the device and the server, most simply by someone on the same Wi-Fi network or running a rogue access point within range of the device while it is in use. That can be anywhere in public, or even inside a home if the attacker can get close enough. Depending on the range and capabilities required, the attacker needs either custom hardware or a slightly modified mobile phone. The closest well-understood comparison is skimming data from contactless credit cards at close range.

Strafach said he confirmed that each vulnerable app exposed data by testing it on an iPhone running iOS 10 with “a ‘malicious’ proxy to insert an invalid TLS certificate into the connection for testing.” According to figures from Apptopia, the vulnerable apps have been downloaded more than 18 million times in total.

There is no fix Apple can make on its side. If iOS overrode an app’s trust decision in order to block this issue, apps that legitimately need custom trust evaluation would break: certificate pinning depends on it, and so do apps that must trust an in-house PKI for intranet connections inside an enterprise. The onus therefore rests on app developers themselves to make sure their own validation code rejects invalid certificates.
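To make the misconfiguration concrete, here is the pattern in Swift, as an added example that is not code from verify.ly, from Strafach’s post, or from any of the audited apps. It assumes URLSession and its server-trust challenge; the class names, the `pinnedCertificates` set (DER certificates the app would bundle), and the use of current trust APIs (`SecTrustEvaluateWithError`, `SecTrustCopyCertificateChain`, available on iOS 15 or later rather than the iOS 10 used in the original test) are my choices. The first delegate is the vulnerable shape the article describes; the second keeps the same override hook, because pinning and in-house PKI, the reasons Apple cannot simply remove it, need that hook, but evaluates the chain before trusting it.

```swift
import Foundation
import Security

// Added example; not code from verify.ly or from any audited app.
// Both delegates handle the server-trust challenge URLSession raises after
// the TLS handshake has produced a certificate chain. ATS is already satisfied
// at this point (the connection is TLS), so the outcome now depends entirely
// on what the app does with `serverTrust`.

typealias ChallengeHandler = (URLSession.AuthChallengeDisposition, URLCredential?) -> Void

/// VULNERABLE: whatever certificate the network presented is wrapped in a
/// credential and accepted. A proxy on the Wi-Fi path can terminate TLS with a
/// forged certificate and read everything the app sends.
final class AcceptAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping ChallengeHandler) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Bug: `trust` is never evaluated. Self-signed, expired and
        // wrong-hostname certificates are all accepted here.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// FIXED: the chain is evaluated against the system trust store and the
/// hostname first, and only then compared with the certificate(s) the app
/// ships with. Rejecting on either check cancels the connection.
final class PinnedDelegate: NSObject, URLSessionDelegate {
    /// DER-encoded leaf certificates bundled with the app (assumed; how they
    /// are loaded is up to the app).
    private let pinnedCertificates: Set<Data>

    init(pinnedCertificates: Set<Data>) {
        self.pinnedCertificates = pinnedCertificates
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping ChallengeHandler) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. Standard validation: chain to a trusted root, validity period,
        //    and hostname match against the host being contacted.
        let policy = SecPolicyCreateSSL(true, challenge.protectionSpace.host as CFString)
        guard SecTrustSetPolicies(trust, policy) == errSecSuccess else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        var evaluationError: CFError?
        guard SecTrustEvaluateWithError(trust, &evaluationError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Pinning: the leaf certificate must be one the app ships with, so a
        //    certificate from any other CA, however valid, is rejected too.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              pinnedCertificates.contains(SecCertificateCopyData(leaf) as Data) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Usage (assumed app code): install the delegate on the session the app
// uses for its API traffic. An app with no pinning requirement should not
// implement the challenge method at all; `.performDefaultHandling` already
// gives full system validation.
// let session = URLSession(configuration: .default,
//                          delegate: PinnedDelegate(pinnedCertificates: bundledCerts),
//                          delegateQueue: nil)
```

For the enterprise case the article mentions, the same hook would call `SecTrustSetAnchorCertificates` with the in-house root before step 1 rather than skipping evaluation; that trusts the private PKI without trusting everything. The check a developer should run is the one Strafach ran: put the app behind a proxy that presents an invalid certificate and confirm the request fails.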

Users are, however, advised to switch off Wi-Fi in public places, since, as Strafach put it, “the vulnerability is very likely to only be exploited if your connection is flowing over Wi-Fi.” That reduces an attacker’s opportunity; it does not fix the apps, which remain vulnerable until their developers correct the validation code.